
Paypal Merchant upgrade to TLS 1.2


Digitalwork

Question

Blesta,

We currently have Blesta 3.6.2 and the PayPal Payflow Pro + ACH (ver 1.2.1) gateway. We got an email from PayPal saying that, after performing Merchant Security Testing, we would be impacted if they made the switchover to supporting only TLS 1.2.

Do we need to upgrade Blesta or the gateway plugin in order to accomplish this?

Thanks.

2 minutes ago, Digitalwork said:

Gotcha.

I host it over DigitalOcean so I can definitely upgrade the droplet as needed. I will upgrade to CentOS 6.9.

I understand the OS piece, but does this have anything to do with the SSL protocols that are being set in the webserver piece where Blesta is running?

It doesn't have anything to do with Blesta specifically, but rather SSL/TLS on the server. There are 2 parts to it: SSL/TLS in Apache (inbound requests) and SSL/TLS in PHP (outbound requests). CentOS 6 < 6.8 can do TLS 1.2 in Apache for inbound requests, but not outbound requests. This is why it's important to upgrade to 6.8 minimum. I think 6.9 is the latest in that release, so that should be OK. No issues with CentOS 7.x.


You don't have to upgrade your OS or kernel for this (even though it is suggested), except if you are using CentOS 5.x.x, and even if you upgrade the OS, if it isn't enabled it will still be unsupported. You need to enable TLS 1.2, and you can still support 1.1 and older. In the worst case you will have to upgrade OpenSSL, even though you probably have one that supports TLS 1.2 and it just isn't enabled.

When it comes to hardcoding which version to use, you don't do that on your server. Even though you can set support for only one, it is better to set wide backward support; then the client, when connecting, can hardcode which TLS to use if they want. You are in the situation that many clients are connecting and some of them may use older TLS and ciphers, and you don't want to reject the connection. Also, this will not only impact payment gateways; instead it will impact all traffic, and many browsers still use older TLS.

For upgrading on CentOS:

SSH in as root or use sudo

yum update openssl libcurl

Enable TLS 1, 1.1, and 1.2

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

Want to remove some? Just delete the ones you want from the command.

You can test your SSL connection and SSL and TLS versions supported at https://www.ssllabs.com/ssltest/index.html 

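Added example (not part of the original posts, and not Blesta or Apache code): a Python model of how mod_ssl evaluates the `SSLProtocol` line quoted above, reporting whether TLS 1.2 is offered for inbound connections and which older versions remain enabled. The function names are hypothetical, and `all` is assumed to mean SSLv3 through TLSv1.2.

```python
# Added example: model how Apache mod_ssl reads an SSLProtocol line.
# Assumption: "all" is taken to mean SSLv3 through TLSv1.2; the real set
# depends on the httpd and OpenSSL build installed on the server.
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANON = {name.lower(): name for name in KNOWN}


def effective_protocols(directive):
    """Return the set of protocols left enabled by one SSLProtocol line."""
    words = directive.split()
    if len(words) < 2 or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for word in words[1:]:
        action = word[0] if word[0] in "+-" else ""
        name = word[1:] if action else word
        if name.lower() == "all":
            chosen = set(KNOWN)
        elif name.lower() in CANON:
            chosen = {CANON[name.lower()]}
        else:
            raise ValueError("unknown protocol: %r" % word)
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen  # a bare name replaces everything set so far
    return enabled


def audit(directive):
    """Summarise whether TLS 1.2 is offered and which older versions remain."""
    enabled = effective_protocols(directive)
    older = [p for p in KNOWN if p in enabled and p != "TLSv1.2"]
    return {"tls12": "TLSv1.2" in enabled, "older": older}


if __name__ == "__main__":
    # Constructed sample lines; the first is the directive from the post.
    for line in ("SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2",
                 "SSLProtocol -all +TLSv1.1 +TLSv1.2",
                 "SSLProtocol all -SSLv3 -TLSv1.2",
                 "SSLProtocol TLSv1"):
        print(line, "->", audit(line))
```

This covers only the Apache (inbound) side; outbound requests from PHP to PayPal depend on the OS libraries, as described in the first answer.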
